Posted by timothy on Tuesday March 23, 2010 @01:51AM from the fuer-ihre-sicherheit dept.

jayme0227 writes "Due to the recent exploit in Firefox, Germany has warned against its use. This comes a couple months after Germany advised against using IE. Perhaps we should start taking odds as to which browser will be next." Note: the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month of 3.6.2.

Looking at your list, there was one advisory in 2009, one in 2008, and then one in 2006. I think what is happening here is lynx is just introducing a minor security flaw about once a year just so they can hang out with all the cool kids. They are just trying to be "edgy" and "hip".

I agree... if you're not satisfied with the default ugliness you can download and apply a number of themes that will raise the ugliness to previously unattainable levels.

Seriously, I tried a lot of themes and most of them make the interface fuzzier and harder to see and operate. Most themes are developed by "pimp my desktop" types and not by UI experts aiming for higher usability with pleasing aesthetics.

As soon as I read about this on /. I realized Firefox is downloading an update to 3.6.2. This is why free software is our best tool against malware. Reaction time can scale with importance. And (shameless free software plug alert) it's why I wrote what's in my sig.

Wanna guess what the difference is? They have security-obsessed people in charge.

Nobody gets credit for fixing a bug. Instead, we celebrate the people who get a fix out fastest. We don't care about flammable buildings, but we watch the response time of the fire department like a hawk.

Not uniformly. They've got some significant problems (e.g., a non-thread-safe getaddrinfo() for goodness' sake! They've not even bothered to put a lock internally, despite the fact that the specs for these functions have required thread safety since RFC 2553 [ietf.org], i.e., over 10 years...) but they perhaps aren't strictly security problems. Just major functionality issues that every other vendor addressed long ago.

Creating 100% secure software is like trying to prove an absolute statement (as in "All X have Y") - to prove it right, every single one of the subjects of your statement has to conform to it, while proving it wrong only takes one that does not.

Or in more specific terms: no matter how good the team developing a piece of software is and how long they have to do it, all it takes is one of them making a single mistake and the result is not 100% secure.

It's reasonable to expect that all first-order mistakes (i.e. the blindingly obvious) are caught; it is however not reasonable to expect that higher-order mistakes (for example: "unexpected interactions with a different version of a certain library installed in the same system in the 64-bit version of the OS") are caught, especially those relating to external factors (which can change after the release is done).

Also there are economic limits to the level of security in a piece of software: more specifically, time is money, getting only the top professionals to do it is a lot of money and (surprise, surprise) people are not willing to pay the higher price that such a product would require to break even.

I think you are right but your proposal misses one vital feature - this switcher should also fully automatically transfer all our account information to the tax man - that would save the government some millions usually charged for bank account info stolen from Swiss banks.

Better yet, free software authors (developers) aren't hiding anywhere. It would be hard to contact IE team but Mozilla developers can be reached easily, via mail or even IRC.

Posting this warning while it is easy to figure out/ask that 3.6.2 is OTW really requires some review by the German Govt. For example, did someone from that team have some dinner/lunch with some company executive lately?

You know it's taken over a month to fix this, right? The exploit was discovered 18-02-2010 according to Secunia.

Opera takes less than a week usually (and the occurrence of exploits is less also).

The argument that Open Source allows anyone to fix things and thus makes patches quicker does not work, as clearly it also opens up your code for hackers to review looking for new exploits. I don't believe in security by obscurity, but the fact remains, Opera is closed source and the most secure (and fastest) web browser out there.

The guy who found the bug didn't give details to Mozilla promptly, he sold it in his security product to clients for a few weeks, then told Mozilla. Can't blame Mozilla for not fixing a bug they had 0 details on. Once they were given details they fixed it in a few days, not bad for fixing the bug, making a build, QA'ing and releasing it.

While it's true that Mozilla got the fix out pretty fast once someone pointed right at it for them, it is often claimed that Open Source is more secure because there are thousands of eyes looking at the source code.

None of those Mozilla-loving eyes found this bug, yet a researcher unaffiliated with Mozilla, but certainly looking for exploits, found it. Now what about all the researchers looking for exploits in order to drive-by Firefox users.. who will just keep the damn thing a secret?

Yeah.. they got the fix out fast. Bravo. Look at the real significance of these events, tho..

..exploit found..went unpatched for a month..only got patched because the person who discovered it pointed right at it.

In other words, one case does not a rule make. And your last line makes your entire post crumble because it's a totally unfounded claim (whether it is true is moot, it's just totally unrelated to the subject at hand and is backed up in no way).

This is all very strange - on the BSI [bsi.bund.de] site (this is the German abbreviation of the Federal Office for IT Security) there is nothing about this; the BuergerCert [buerger-cert.de] site informs about a new upcoming release of Firefox that is going to fix an unspecified security problem. If you compare it with the IE warning from some time ago there is a difference - back then BSI issued a warning telling people not to use compromised software that is actively used for attacks, and here you have a warning based on information about a new release.

It is "bloated" in the sense of feeling slow to begin with. XUL and XML based GUI is probably the worst idea ever. If you've ever used Opera, you know just how fast and snappy the UI feels. This is what has always put me off from Firefox - it just doesn't feel good.

Seriously? I'm all for the opinion that Firefox is becoming the Winamp of browsers, with that best of the rest feel rather than the best feel. But Opera really doesn't have a snappy UI or a snappy feel. Opera is a great browser but has always felt clunky and dopeish. Not to mention that with the same tabs open in both Opera and Firefox, Opera is the one that feels the most sluggish.
I fully agree that Firefox is making some disastrous decisions, taking a month to fix a reported bug is beyond acceptable, b

Just days before the start of a hacking contest set to target Web browser vulnerabilities, Mozilla has patched its flagship Firefox browser....

Mozilla had been under pressure to fix the bug, after it was included by Russian security researcher Evgeny Legerov last month in his VulnDisco hacking tool, which is sold as an add-on to the Canvas penetration testing kit.

Yes, but there is this little detail, which, if you had read http://secunia.com/advisories/38608 [secunia.com], you would know. It was not clear that this was a real bug; there were no details known. A fairly unknown researcher claimed there was a zero day in Firefox, without giving enough details to tell where the bug is. So what happened was that somebody, who we did not know could be trusted, claimed there was a bug. Imagine! Reaction time from knowing the details to roll-out was far better, at least in this case. This

Although note that other vulnerabilities with exploits in the wild and being actively used affect the 3.5 branch. I've had malware installed on my machine by drive-by redirects in advertising on otherwise trustworthy sites (TPB, for instance). If you're on 3.5, upgrade now.

German government warns against use of the internet and software that has bugs.

Software is inevitably going to have bugs in it and try as we might, it's something we'll always have to deal with. There are always mitigation strategies, such as running Firefox in a virtualized environment a la Sandboxie [sandboxie.com] or a full virtual machine, but we'll never be privy to using only bug-free software day to day. I'm glad to see the German government taking an active approach to notifying people in regard to vulnerabilities in an attempt to mitigate them, but as TFA states, what's the point in suggesting users quit using Firefox when the alternatives are potentially just as vulnerable?

Sometimes I wonder if application virtualization like Sandboxie should be part of the OS. Not just Windows, but on UNIX as well. With ZFS, this is easier because a directory can be rolled back fairly easy due to the snapshot functionality.

Another cool idea is how Thinstall (well, now called VMWare ThinApp) packages apps. The app thinks it has admin rights and can happily doodle around the Registry and the filesystem, but in reality, all it does is just modify stuff stored in \users\blarf\appdata\roaming\

Only if that app does not have to communicate in any way with the rest of the system. What people encouraging virtualization tend to forget is that a multi-tasking OS already has means of protection. The memory an application sees is virtual, and access to the rest of the system often enforces a security model.

Still, however, the user has little use for isolated applications that cannot talk to others. A modern web-browser more or less requires other apps to be of any use, such as flash, a pdf viewer,

That they warn you about vulnerabilities in IE6, but ignore vulnerabilities in open source browsers?

I think they've done the right thing - there was a security hole (in the 'current' 3.6), and they warned about it. Their warning DID include that it affected the 'current' 3.6 version and that it should be fixed in 3.6.2.

That's fair comment, and it's their job to report it and not lull people into a false sense of security that the (then current 3.6) version of Firefox was safe.

If they had NOT warned, it might have damaged their reputation for NOT covering it, and it might also have helped MS lobbying efforts if they could have been shown to be biased by reporting on IE issues, but not Firefox ones...

The mozilla blog entry was dated March 18th (giving March 30th as the release date for 3.6.2). The BSI advisory was dated March 19th (4 days before the story broke on slashdot; and 4 days before the actual release of 3.6.2).

So, you're saying, it was retaliation by BSI against Firefox, for publishing a release date the firefox crew themselves published the day before?

The difference is that Firefox has vulnerabilities like any normal application... Internet Explorer on the other hand has been the forefront infection vector for botnets of hundreds of thousands of machines for the past decade.

The German government seems to be being quite responsible here. There is an issue with Firefox, and most users probably don't know about it because they don't regularly read tech news sites.

The government is simply trying to keep people informed about this rather important topic, and has done so in a reasonable and proportional way. Not every warning put out is a damning condemnation of flawed security that mandates switching to Lynx you know.


No, it's an attempted government takeover of the IT sector. Do you really want a government bureaucrat telling you what you can or can't do, what sites you can visit, or what browser you should use? I say let the free market decide. This country was founded on the ideas of personal responsibility, freedom and liberty,

As far as I can see, the BSI didn't release a new EU DIN which required "any browser except Firefox 3.6 until Firefox 3.6.2". So where do you see a bureaucrat telling you what you have to do?

It works completely differently. If an organisation gets into IT trouble in the near future and the root cause can be determined to be the usage of a pre-3.6.2 release of Firefox 3.6, it can't claim "act of God", because they have been warned.

Not like the US government, who yanked up what used to be the wonderful, somewhat independent [but gov sponsored] organization called 'CERT', absorbed them into the Department of Homeland Security, and turned them into US-CERT, a mere vacant shadow of their former selves, just another clea

Note as well that the headline of this writeup appears to be misleading. I read the article and nowhere does it say the German government is actually warning AGAINST using Firefox, they are simply warning the public of a security issue in the browser.

Specifically, the article states that the government is also warning people against switching browsers "willy nilly" every time a security hole is found because you never know what you'll be getting into. They're saying to be cautious if you're using Firefox

The BSI is not the government. It is a federal agency. BSI = Bundesamt für Sicherheit in der Informationstechnik (engl. Federal Agency for safety and security in Information Technology). They are more something like CERT. Even though the US government thinks the BSI is some sort of NSA, because the NSA also does security in information technology (e.g. SELinux). However, the BSI does not spy on people. This is done by another agency.
And the BSI is as much the government as the police or judges are.

"Security
Fixed
Fixed an issue where the HTTP Content-Length header could be used to execute arbitrary code; see our advisory (http://www.opera.com/support/search/view/948/).
Fixed an issue where XSLT could be used to retrieve random contents of unrelated documents, as discovered by crazypops; see our advisory (http://www.opera.com/support/search/view/949/)."

OH SNAP SON! So much for those skilled contractors and their superior skills.

A security vulnerability in Opera 10.50 and previous versions of the web browser was uncovered by security research company VUPEN Security. The issue is caused by a buffer overflow error when the user visits a website with malformed HTTP headers.... the vulnerability can be exploited by attackers to crash the browser and execute code on the computer system.

It is recommended to only access trustworthy websites until a patch is released or sw

Or just stay with the 3.5.x series [mozilla.org]. Problem is, I don't see where they even link to it on their website. Even the 3.5.8 release notes [mozilla.com] page seems to link to 3.6 for downloads...

So, since 3.5 was not affected by this specific vulnerability, what vulnerabilities are unpatched in the current 3.5 release (3.5.8)?

If the Beeb or the German government knows something Firefox doesn't know, maybe they should tell us so that people still using/shipping (in the case of most linux distros) 3.5 can upgrade to 3.6? Or, if they *don't* know better, maybe they should stick to fact and

This is what I was wondering; however, the Firefox site does point to the experimental 3.6 version last time I checked. When I upgraded to 3.5.8, I had to find the ftp site to download it. WTF? I know they want testers, but seriously, that is crap.

The mozilla project isn't so immature they need lots of people testing their new experimental code. I could see them putting a note on the main page saying "Hey, some of you try out our experimental version 3.6, it has new wiz bang technologies! (not ready for pr

Because reverting to older versions increases the chances of accidentally getting part of, say, the 3.5.x branch that isn't 3.5.8 and does have unpatched vulnerabilities. Remember that we're not really talking about /. users here - we already know about the current vulns, patches, workarounds and alternatives - but "regular" users of Firefox who are used to just clicking on the "Firefox x.x Free Download" link on the getfirefox.com frontpage.

If I'm reading this correctly, the vulnerability is in WOFF fonts (what is a WOFF font?) and possibly allows some heap corruption. How do these various "exploits" actually get the Firefox code to execute out of the heap? I.e. one presumably has to either scribble on some known call-back function address in the heap, or somehow scribble on the stack (so Firefox/Seamonkey functions return to the exploit code in the heap) and isn't the data in the heap non-executable (at least under Linux)? I would expect t

I'm undoubtedly missing something, but why is installing a program in my personal folder a bad idea? It allows non-elevated installs, has no access to files outside of the user dir unless granted, allows each user to have a totally separate installation so fucking one up doesn't fuck up everyone else's, no registry entries aside from ones to HKCU, uninstalls don't mess everyone else's life up, no reboots on uninstall... I don't get it?

It's a complete non-starter on a computer with multiple user accounts. How do you update it? Do you really want to update every single version separately? Really? What about corporate environments?

Firefox installer isn't great for corporate Windows environments either because it isn't delivered as an MSI package. Why on earth the FF people can't follow a nearly 10 year old platform packaging standard is beyond me. Yes you can get FF MSI packages from 3rd parties but that has its own problems and barri